Admins work overtime as Microsoft fixes Office with bumper 7 patches
From desktop to server and back
Microsoft’s September Patch Tuesday will hand admins hours of unwanted overtime, including applying an unusually high number of patches affecting Office plus three critical patches for SharePoint Server.
Of the 14 bulletins, the fact that half affect Office is probably the standout news. Only two of these seven are rated ‘critical’, but that does include one flaw (bulletin 2) that can be triggered simply by previewing an email in Outlook 2007 service pack 3 or all versions of Outlook 2010.
That’s a warning shot. Most Office vulnerabilities require some form of user interaction but this one is open to exploit even when an email is not opened.
Elsewhere, SharePoint Server also takes a big hit, affected in bulletin 1 across all versions and Service Packs from Microsoft SharePoint Portal Server 2003 Service Pack 3 to Microsoft SharePoint Server 2013.
“Given the complexity of SharePoint and its services it’s no wonder it’s patched so frequently,” commented Tyler Reguly of vulnerability and security management firm Tripwire.
“It’s amazing that Microsoft is still supporting FrontPage 2003 and SharePoint Portal Server 2003. These platforms are 10 years old, and from a software lifecycle point of view, it’s time to let them die and have customers upgrade,” he said.
Overall, four of the fourteen September 2013 bulletins are rated 'critical'.
“If you are running a Microsoft-heavy shop and have significantly invested in the back office technology of SharePoint and all its glorious services, then this month is going to be very busy for you,” agreed Ross Barrett of security firm Rapid7.
Other security experts are more worried by the number of flaws Microsoft is running up.
As Wolfgang Kandek of Qualys pointed out in an analysis, 14 bulletins brings Microsoft to the 80 mark for 2013, which means the firm will likely surpass last year’s total of 82 and almost certainly beat even 2011’s 100.
This was a “good reflection of how challenging the computer security business continues to be,” he said.
The whack taken by Office is also significant, with the number for the suite already matching the number for the whole of 2012. However, it is still unlikely that Office will exceed the 30 for 2011 and high points of 2008 and 2011, which saw 55 each.